Adobe patches Flash – heads off in-the-wild attacks against Windows and Apple users

Hot on the heels of Oracle’s not-on-a-Tuesday emergency patch for Java comes a “Patch Thursday” update from Adobe.

This time it’s Adobe’s Flash player that gets an upgrade, and it sounds well worth applying as soon as you can.

The update heads off in-the-wild attacks against both Windows and Apple users.

A good bookmark for keeping track of Adobe’s vulnerability-related notifications is the company’s Security bulletins and advisories page. As I write this, it links you to Adobe Product Security Bulletin 13-04.

(No, I can’t explain why software vendors are still shy of writing years with four digits. Yes, 2013-04 would be much more self-descriptive, although at least the month/year ambiguity is reduced now we’re past 2012.)

Adobe is aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows.

Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.

Mac fans often get agitated when we suggest that their platform might be vulnerable to malware attacks that don’t require explicit user approval.

But even if we assume that Mac users are always well-informed enough to avoid clicking [OK] every time danger looms, this is a reminder that the cybercrooks (or Advanced Persistent Threatsters, if you prefer) consider Macs a fruitful and assailable target.

We’re talking about RCE, or remote code execution, here.

That means a drive-by download, where the usual user interaction, warnings and safeguards in your software are bypassed so that merely reading a web page or viewing a document could result in a surreptitious background install.

Another good bookmark on Adobe’s site is the About page. This uses a Flash object to see if you have a Flash Player installed, and will report the version number if you do.

You can then compare the version number shown with the recommended versions and thus easily check how well-patched you are:

As we’ve bemoaned before, Adobe’s versioning varies wildly by operating system and by browser. There are four numbers in the version string, but only the leftmost is constant throughout all supported platforms.

You need version 11 on every platform, but your full version string will be constructed from the following dizzy set of combinations: 11.{2,3,5}.{31,202,379,502}.{14,139,149,223,262}.

And Adobe’s updater is still as anti-social as ever, at least on my Mac.

I don’t let Flash update itself, preferring to be notified or to check for myself when I hear there’s something available, like now.

That usually means opening the handy About page mentioned above, and, when needed, using the Flash Player preference pane in System Preferences:

Adobe’s update does rather take over at this point, forcing me to shut down a raft of applications, which it doesn’t re-open for me afterwards. (If I don’t let it do so, and want to wait to finish the update later, it downloads the whole update again, even if it’s the same version it fetched before.)

And when it’s done, it’s always dead keen to get me to reconsider the business of automatic upgrades, which I presume also means automatically force-closing my applications:

Maybe I’m a bit old fashioned, but I prefer to pick the moment for my updates, especially as I use a variety of networks at a variety of costs.

Despite these minor gripes, though, finding out what’s changed in Flash, and whether I need to upgrade, is pretty easy these days.

And getting the update is easy enough, if you overlook the force-close of your applications.

Over to you…